Stop Ransomware Before It Starts: A 5-Step Plan That Works
Ransomware almost never starts with encryption. It starts days or weeks earlier with a stolen login or an unpatched system. The fix isn't fancy — it's five fundamentals done consistently.
Why "After Encryption" Is Already Too Late
Ransomware feels sudden. It rarely is.
Most of the time it's a sequence: initial access, then privilege escalation, then quiet lateral movement through the environment, then data theft, and only at the very end, encryption. The encryption is the part you see. Everything before it happens out of sight.
Microsoft puts it bluntly: in most cases, attackers aren't breaking in — they're logging in. Once a valid account has elevated privileges, they can move faster than most teams can investigate.
By the time the ransom note appears, the options have already shrunk. The general guidance from law enforcement and security agencies is the same: don't pay. There's no guarantee you get your data back, payment funds the next attack, and if the data was stolen before encryption (as it usually is now), a decryptor does nothing to undo the breach.
The point of a ransomware plan isn't to stop every threat forever. It's to break the chain early, so most never reach the encryption step at all.
The Five Steps That Break the Chain
1. Phishing-resistant sign-ins. Most ransomware still starts with stolen credentials, so the fastest win is making "logging in" harder to fake. MFA on every account, and phishing-resistant MFA (FIDO2 hardware keys or certificate-based sign-in) for admin and remote-access accounts; one-time codes over SMS and plain push prompts can still be relayed through a fake login page or approved by a tired user. Turn off legacy authentication protocols (for example IMAP, POP and SMTP basic auth) that skip MFA entirely.
2. Least privilege + separation. Each account gets only the access it needs to do its job. Admin accounts stay separate from the daily-use accounts that read email and browse the web, so a phished mailbox doesn't hand over domain admin. No shared logins. The "everyone has access" group is gone.
3. Close the holes attackers already know about. Patch critical vulnerabilities right away and high-risk ones soon after, starting with anything on a known-exploited list such as CISA's KEV catalog. Cover third-party apps, not just the OS. Internet-facing systems and remote-access tools (VPN gateways, exposed RDP) come first, because those are what attackers scan for.
4. Detect early, not after the fire spreads. Endpoint monitoring that flags the precursors, not just the payload: shadow copies being deleted, security tools being disabled, one account logging on to many hosts, a burst of file renames. Clear rules for what gets escalated immediately versus reviewed later. The goal is alerts that lead to action, not a help-desk ticket about files that won't open.
5. Backups that are isolated and tested. Both NIST and the UK's NCSC say the same thing: backups have to be protected from the attacker, and you have to know how to restore from them. Keep at least one copy offline or immutable, reachable only with credentials the production domain doesn't hold; attackers look for the backup server before they encrypt anything. Run restore drills on a schedule. Know your recovery order (identity first, then the systems that depend on it) before you need it.
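To make step 4 concrete, here is an added example (not code from the original article) of what "flags the precursors fast" looks like as detection logic. It runs over constructed sample telemetry and flags two well-known ransomware precursors: recovery-inhibit commands such as shadow-copy deletion (MITRE ATT&CK T1490) and a burst of file renames to one new extension on a single host. The event field names (ts, host, type, cmdline, new_path) are assumptions; real EDR and SIEM schemas differ, but the logic transfers.

```python
"""Ransomware precursor detection over endpoint events.

Added example, not from the original article. The event lines are constructed
sample telemetry (one JSON object per line); the field names
(ts, host, type, cmdline, new_path) are assumptions for illustration.
"""
import json
import re
from collections import defaultdict

# Commands ransomware typically runs before encrypting, to stop recovery
# (MITRE ATT&CK T1490, Inhibit System Recovery). Matched case-insensitively
# because operators vary casing and paths.
RECOVERY_INHIBIT_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
]

RENAME_THRESHOLD = 20   # renames to the same new extension on one host ...
RENAME_WINDOW = 60      # ... within this many seconds is treated as a burst


def check_process(ev):
    """Return a critical alert if a process command line matches a
    recovery-inhibit pattern, else None."""
    cmd = ev.get("cmdline", "")
    for pat in RECOVERY_INHIBIT_PATTERNS:
        if pat.search(cmd):
            return {"severity": "critical", "host": ev["host"], "ts": ev["ts"],
                    "reason": "recovery-inhibit command", "detail": cmd}
    return None


def check_rename_bursts(events, threshold=RENAME_THRESHOLD, window=RENAME_WINDOW):
    """Sliding-window count of renames per (host, new extension); one alert
    per bucket, raised the first time the count inside the window reaches threshold."""
    buckets = defaultdict(list)
    for ev in events:
        if ev.get("type") != "file_rename":
            continue
        name = re.split(r"[\\/]", ev["new_path"])[-1]          # strip directory part
        ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
        buckets[(ev["host"], ext)].append(ev["ts"])
    alerts = []
    for (host, ext), stamps in buckets.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:      # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"severity": "high", "host": host, "ts": ts,
                               "reason": "rename burst",
                               "detail": f"{end - start + 1} renames to .{ext} in {window}s"})
                break
    return alerts


def detect(lines):
    """Parse JSON event lines and return all alerts ordered by time."""
    events = [json.loads(line) for line in lines if line.strip()]
    alerts = []
    for ev in events:
        if ev.get("type") == "process_create":
            alert = check_process(ev)
            if alert:
                alerts.append(alert)
    alerts.extend(check_rename_bursts(events))
    return sorted(alerts, key=lambda a: a["ts"])


def build_sample_events():
    """Constructed telemetry: a quiet workstation and a file server being hit."""
    events = []
    for i in range(5):  # WS-07: a handful of ordinary renames over ten minutes
        events.append({"ts": 1000 + 120 * i, "host": "WS-07", "type": "file_rename",
                       "new_path": f"C:\\Users\\ana\\draft{i}.docx"})
    for i in range(25):  # FS-01: 25 files renamed to .locked in 25 seconds
        events.append({"ts": 2000 + i, "host": "FS-01", "type": "file_rename",
                       "new_path": f"\\\\FS-01\\share\\invoice{i}.xlsx.locked"})
    events.append({"ts": 2040, "host": "FS-01", "type": "process_create",
                   "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"})
    events.append({"ts": 2041, "host": "WS-07", "type": "process_create",
                   "cmdline": "notepad.exe C:\\Users\\ana\\notes.txt"})
    return [json.dumps(e) for e in events]


if __name__ == "__main__":
    for a in detect(build_sample_events()):
        print(f"{a['ts']} {a['severity']:8} {a['host']:6} {a['reason']}: {a['detail']}")
```

Both alerts come from the file server; the workstation's ordinary renames and its notepad launch stay silent. The rename alert fires on the twentieth rename, while there is still something to stop, which is the whole point of step 4. Thresholds are the part to tune: too low and a bulk rename by a sync or backup job pages someone at 3 a.m., too high and the burst is over before the alert arrives.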
Backups Are the Step Most Teams Skip
Almost everyone says they have backups. Far fewer have ever restored from one in a real test.
An untested backup is a hope, not a control. Pick a single critical system and run a restore drill on it this quarter. If it works, you know. If it doesn't, you found out at a calm moment instead of a panicked one.
If only one of these five steps gets done this month, make it this one. Recovery is the difference between a bad week and a closed business.
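As an added example (not from the article, and not any vendor's tool), here is what a restore drill looks like when it checks the thing that matters: that the restored files match what was backed up. It builds a constructed sample data set, archives it alongside a SHA-256 manifest, restores into a scratch directory and verifies every file, then flips one byte inside the archive and drills again. The manifest format (path, tab, hash) is an assumption for illustration.

```python
"""Restore drill: restore a backup into a scratch location and verify it.

Added example, not from the article. Runs on a constructed sample data set
in a temporary directory; the manifest format (path<TAB>sha256) is an
assumption for illustration.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, backup_dir):
    """Archive every file under source_dir and write a manifest of
    relative path + SHA-256, so a restore can be verified later."""
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    archive = backup_dir / "backup.tar"
    manifest = backup_dir / "backup.manifest"
    lines = []
    with tarfile.open(str(archive), "w") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                tar.add(str(p), arcname=rel)
                lines.append(f"{rel}\t{sha256_file(p)}")
    manifest.write_text("\n".join(lines) + "\n")
    return archive, manifest


def restore_drill(archive, manifest, scratch_dir):
    """Restore into a scratch location and verify every manifest entry.
    Returns (ok, problems); problems lists missing or corrupted files."""
    scratch = Path(scratch_dir)
    # Python 3.12+ (and backports) accept filter="data", which rejects path
    # traversal and device nodes in a tampered archive; fall back if absent.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    try:
        with tarfile.open(str(archive), "r") as tar:
            tar.extractall(str(scratch), **extract_opts)
    except (tarfile.TarError, OSError) as e:
        return False, [f"extract failed: {e}"]
    problems = []
    for line in Path(manifest).read_text().splitlines():
        rel, expected = line.split("\t")
        target = scratch / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(target) != expected:
            problems.append(f"corrupted: {rel}")
    return not problems, problems


def run_demo():
    """Constructed data set: back it up, drill once on the intact archive,
    then silently corrupt one byte of file data and drill again."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "finance"
        src.mkdir()
        (src / "customers.csv").write_text("id,name\n1,Acme Widgets\n2,Globex\n")
        (src / "ledger.txt").write_text("2024-01-05 invoice 1042 paid\n")
        (src / "notes.md").write_text("# Quarter close\nReconcile by Friday.\n")
        archive, manifest = make_backup(src, tmp)

        before = restore_drill(archive, manifest, tmp / "restore1")

        # tar checksums headers, not file contents: flip one byte inside the
        # customers.csv payload and extraction still "succeeds".
        data = bytearray(archive.read_bytes())
        data[data.find(b"Acme Widgets")] ^= 0x01
        archive.write_bytes(bytes(data))

        after = restore_drill(archive, manifest, tmp / "restore2")
        return {"before": before, "after": after}


if __name__ == "__main__":
    print(run_demo())
```

The second drill is the point: the archive extracts without complaint, because tar checksums its headers rather than the file data, and only the manifest comparison says the backup is bad. A backup job that reports "success" every night tells you the job ran, not that the data can be restored. In production the manifest belongs with the isolated copy, and the scratch restore belongs on a host that is not the production server.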
Recovery Should Be Boring
Ransomware does its worst damage when everything feels urgent, unclear, and improvised.
A good ransomware plan is the opposite. It turns weak spots into clear, written defaults. You don't need to rebuild your whole security program overnight — start with the weakest link, tighten it, and standardize it. Then move to the next.
When the basics are enforced consistently and the recovery has been tested, ransomware shifts from a headline-level crisis to an incident you can actually manage.
